Essential cookies only — Cookie Policy.

💬 SOP-07 — Diceware Passphrase Generator

Generate a memorable passphrase

3–6 random words, live entropy scoring, multiple formats. Wordlist selected with crypto.getRandomValues() — nothing transmitted.

💬 passphrasemaker.net — diceware generator

Click "Generate Passphrase" to begin
Entropy (bits)
Words
Characters
Crack time
Word count
4 words
Separator
Options
Preset use case
🔒 All generation uses crypto.getRandomValues() — OS hardware entropy · Zero network requests · Nothing stored
Why Passphrase Maker

The NCSC approach made effortless

Random generation for unpredictability. Real words for memorability. Live entropy for transparency.

🎲

Genuine Diceware method

Words are selected using crypto.getRandomValues() with rejection sampling for a perfectly uniform distribution — the same entropy as physical Diceware dice.

🧠

Built to be memorised

Four concrete words create a scene you can visualise. The memorability score estimates how quickly the generated passphrase can be retained using the image-linking technique.

📊

Live entropy scoring

Bits of entropy, estimated crack time, and strength rating update in real time with every option change — so you understand the security implications of each choice.

🔒

Nothing transmitted

The wordlist is embedded in the page. All selection happens in your browser. Open DevTools → Network and generate — you will see zero requests during generation.

Security Reference

Entropy by word count

Based on a 1024-word curated wordlist (10 bits per word). All times assume 10 billion guesses per second — a high-end dedicated cracking machine.

WordsEntropyCharacters (spaced)Crack time estimateRecommended for
3 words30 bits~18 chars~107 secondsLow-stakes accounts with MFA
4 words40 bits~24 chars~30 hoursGeneral accounts — recommended baseline
5 words50 bits~30 chars~35 yearsMaster passwords, accounts without MFA
6 words60 bits~36 chars~36,500 yearsEncryption keys, highest-value accounts
NCSC Cyber Aware baseline: 3 words. NIST SP 800-63B 2025 minimum: 15 characters. Adding a number and symbol adds ~12–16 bits above these figures.
The Evidence

Why length and randomness beat complexity

2016
Year NCSC first published three-random-words guidance, ahead of NIST by a year
NCSC Cyber Aware
NIST
SP 800-63B (2025) removed mandatory complexity rules. Length and randomness are the standard.
NIST SP 800-63B-4
12.9
Bits of entropy per word from the full 7,776-word Diceware list
Arnold Reinhold / EFF
0
Network requests made during passphrase generation — fully offline
passphrasemaker.net
Recommended Tools

Where to store your passphrases

Affiliate disclosure: Some links earn a small commission at no extra cost to you. We only recommend tools that meet strong security standards. Full disclosure →

🗝️ Bitwarden

Open-source, independently audited password manager. Free tier for individuals; Families plan covers 6 users. Store all your generated passphrases securely. Zero-knowledge encryption — Bitwarden cannot read your vault.

Try Bitwarden →

1️⃣ 1Password

Polished password manager with an Emergency Kit — a printable recovery document generated at setup. Excellent for users who want a guide through secure configuration. Watchtower feature monitors saved credentials against breach databases.

Try 1Password →

📘 EFF Diceware Guide

The Electronic Frontier Foundation's free printed Diceware guide teaches the physical dice method alongside the EFF large wordlist. Recommended for users who want a method with zero software dependency for their most sensitive credentials.

Read the EFF guide →
About

Built by an hobbyist with a keen interest in password security and online safety

The guides and generator on this site are written and maintained by Daniel Hayes, an hobbyist with a keen interest in password security and online safety who has advised organisations on password policy and authentication for over a decade. Daniel's work includes implementing NIST SP 800-63B-aligned authentication systems and delivering NCSC-aligned password guidance to public sector and commercial organisations.

All content aligns with the NCSC Cyber Aware guidance, NIST SP 800-63B 2025, and the EFF Diceware method.

About Daniel Hayes →
Our Promises
NCSC & NIST alignedAll guidance follows NCSC Cyber Aware and NIST SP 800-63B 2025.
🎲
Genuine CSPRNGcrypto.getRandomValues() with rejection sampling. Uniform word distribution — no bias.
🔒
Zero transmissionWordlist is embedded. Nothing sent anywhere during generation.
🆓
Always freeNo account, no subscription, no email address required.
🇬🇧
UK operatedKokal Operations Ltd, England & Wales. UK GDPR compliant.

Our Portfolio

Specialist password and passphrase tools for every audience.

bestpasswordgenerator.orgStrength visualiser
🌿freestrongpassword.comBeginner wizard
instantpasswordgenerator.orgBulk generator
🔑ironvaultkeys.comEnterprise compliance
🔧randompasswordtool.comAPI simulator
🔐securekeygenerator.comPrivacy-maximalist
🏦titanpasswords.comBanking-grade
👨‍👩‍👧safepassbuilder.comFamily safety
🛡️trustypassword.comAnti-phishing
FAQ

Passphrase questions answered

The NCSC recommends using three randomly selected words as the basis for a strong, memorable password. This produces passwords long enough to be secure, random enough to resist dictionary attacks, and memorable enough that users don't need to write them down. Length — not complexity — is the primary driver of password strength.
Yes, when correctly generated. A 4-word passphrase provides approximately 40 bits of entropy — comparable to a 10-character random character password and sufficient for most accounts with MFA. A 5-word passphrase (50 bits) resists all practical attacks for decades. The security comes from random word selection using a CSPRNG, not from the words themselves.
Making up a sentence produces a passphrase based on your thoughts and patterns — dramatically reducing actual entropy. Randomly generated words — selected by a CSPRNG with no human input — provide the entropy their word count promises. The words may not form a meaningful sentence, but they are unpredictable to any attacker and can be memorised with the visualisation technique.
Use 5 or 6 words. Five words provides approximately 50 bits of entropy — the minimum we recommend for a credential protecting all your other passwords. Six words (60 bits) is appropriate for encryption keys. Use the "master password" or "encryption key" preset in the generator for the correct defaults.
Yes. Enable "Capitalise" to add uppercase at the start of each word. Enable "Add number" and "Add symbol" for characters that satisfy most complexity requirements. These additions are placed randomly within the passphrase — not predictably at the end — preserving the entropy benefit while meeting site policy requirements.
Use visualisation: convert each word to a mental image and link them in a memorable scene. Test recall at 30 minutes, 2 hours, and 24 hours. Store a written backup in a safe or sealed envelope until confident. If you genuinely cannot recall it after this process, generate a new one — try again with different words.
Yes. All generation uses crypto.getRandomValues() in your browser. The wordlist is embedded in the page. Nothing is transmitted to any server — open DevTools → Network → Clear → Generate to verify zero requests during generation. No passphrases are ever stored by this site.
Diceware is a passphrase generation method invented by Arnold Reinhold in 1995. Physical dice produce a random number that maps to a word in a 7,776-word list. This generator uses crypto.getRandomValues() to achieve the same randomness without physical dice. See our Diceware guide →
The NCSC recommends three random words specifically because they balance security and memorability. For stored credentials (in a password manager), randomly generated character passwords are also acceptable. For credentials that must be memorised — device logins, master passwords, encryption keys — a 4–6 word passphrase is the most practical strongly-secure option.
Three words (30 bits from our wordlist) is appropriate for low-stakes accounts with MFA enabled. Four words (40 bits) is the recommended baseline for most accounts. The generator defaults to 4 words. Use 5 or 6 for high-value accounts, master passwords, and encryption keys — the security difference is significant and the memorability cost is modest.
Passphrase Security Guides

The science of memorable security

All guides →

Amazon Security Picks

Hardware and software recommendations verified by our team.

As an Amazon Associate we earn from qualifying purchases.